Linux kernel gets fix for 11-year-old root hole in DCCP code

Linux developer Andrey Konovalov has released a fix for an 11-year old bug in Linux kernel. The security hole is in the support for Datagram Congestion Control Protocol (DCCP) that was introduced in 2005.

The flaw can be exploited by malicious software on a vulnerable device or gain root-level access when users logged into their accounts. Once reached through a backdoor, attackers can leverage the vulnerability to compromise the system and even acquire a box from a connected network or Internet. Moreover, the programing blunder is in how DCCP code handles a socket buffer (skb).

According to the email list announcement by Konovalov, an skb for a DCCP_PKT_REQUEST packet is forcibly freed via __kfree_skb in dccp_rcv_state_process if dccp_v6_conn_request successfully returns. An attacker can then gain access and control what object that would be ad even rewrite its content with arbitrary data. If the object has any triggerable functions, attacker can execute the arbitrary code in the kernel.

“An attacker can control what object that would be and overwrite its content with arbitrary data by using some of the kernel heap spraying techniques,” explains Konovalov.

Basically, the bug can save the skb’s address and its reference counter incremented and exploit use-after-free method. The a fix has been released for the Linux community to reduce instances of the DCCP flaw.

It is recommended to update your system as soon as your distro gets the patch. Meanwhile, you can remove the buggy DCCP support from your kernel to avoid the impact of the vulnerability.